The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report aims to give insight into the latest security threats and vulnerabilities.

Key takeaways

July’s set of SAP Security Notes consists of 23 patches, the majority of them rated medium.

The most severe vulnerabilities of this month affect SAP POS, a point-of-sale solution. They allow a remote, unauthenticated attacker to read, write and delete sensitive information and even to monitor everything displayed in the receipt window of a POS terminal.

SAP Security Notes – July 2017

SAP has released the monthly critical patch update for July 2017. This patch update includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes).

11 of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month. 5 of the Notes are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score among this month’s vulnerabilities is 8.1.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.

A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. As with the PoS issue, the missing check lets an attacker reach a service without any authorization procedure and use functionality that should be restricted, which can lead to information disclosure, privilege escalation, and other attacks.
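The two notes above describe the same vulnerability class: a service exposed on the network that executes requests without establishing who sent them. The following added example (not from this page and not SAP code) models that with a hypothetical store-management service whose dispatcher runs any operation a client names, next to a hardened dispatcher that authenticates the caller and checks a per-operation role allowlist. The sessions, roles, operations and data store are all constructed for the demonstration.

```python
"""Missing authorization check, illustrated with a hypothetical
store-management service (not SAP code): a dispatcher that runs any
operation a network client names, beside a hardened dispatcher that
authenticates the caller and checks a per-operation role allowlist."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed data store for the hypothetical service.
INITIAL_STORE = {
    "config": {"receipt_printer": "RCPT-1"},
    "records": {"r1": "sale 12.50 EUR", "r2": "sale 3.20 EUR"},
}

# Constructed sessions: token -> (user, roles). A real service would
# look these up in its session store.
SESSIONS = {
    "tok-admin": ("alice", {"admin"}),
    "tok-cashier": ("bob", {"cashier"}),
}

# Roles allowed to call each operation; anything not listed is denied.
REQUIRED_ROLES: Dict[str, Set[str]] = {
    "read_config": {"cashier", "admin"},
    "write_config": {"admin"},
    "delete_record": {"admin"},
}


def _read_config(store, _arg):
    return dict(store["config"])


def _write_config(store, arg):
    key, _, value = arg.partition("=")
    store["config"][key] = value
    return dict(store["config"])


def _delete_record(store, arg):
    return store["records"].pop(arg, None)


OPERATIONS: Dict[str, Callable] = {
    "read_config": _read_config,
    "write_config": _write_config,
    "delete_record": _delete_record,
}


@dataclass
class Request:
    op: str
    arg: str = ""
    session: Optional[str] = None  # token presented by the caller, if any


def vulnerable_dispatch(req: Request, store: dict):
    """Runs whatever operation arrives on the socket. Nobody is asked who
    they are, so any network peer can read, change or delete data."""
    return OPERATIONS[req.op](store, req.arg)


def hardened_dispatch(req: Request, store: dict):
    """Authenticate, then authorize against the allowlist, then dispatch."""
    if req.session not in SESSIONS:
        raise PermissionError("not authenticated")
    user, roles = SESSIONS[req.session]
    allowed = REQUIRED_ROLES.get(req.op, set())  # unknown op: deny by default
    if not roles & allowed:
        raise PermissionError(f"{user} is not authorized for {req.op}")
    return OPERATIONS[req.op](store, req.arg)


def demo() -> dict:
    """Replay the same anonymous request against both dispatchers."""
    anonymous = Request("delete_record", "r1")  # no session token at all
    vuln_store = copy.deepcopy(INITIAL_STORE)
    hard_store = copy.deepcopy(INITIAL_STORE)
    vulnerable_dispatch(anonymous, vuln_store)
    try:
        hardened_dispatch(anonymous, hard_store)
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = True
    return {
        "vulnerable_records_left": sorted(vuln_store["records"]),
        "hardened_blocked": hardened_blocked,
        "hardened_records_left": sorted(hard_store["records"]),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened dispatcher makes two decisions the vulnerable one skips: it refuses callers without a valid session, and it consults an explicit allowlist in which an operation that nobody thought to list is denied rather than allowed. When auditing a service, that second property (deny by default) is the one to check first, because new operations tend to be added without a corresponding authorization rule.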

Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). Update is available in SAP Security Note 2478964. An attacker can exploit the Cross-site scripting vulnerability to inject a malicious script into a page. The script can access cookies, session tokens and other critical information stored and used for interaction with the web application, so the attacker can take over the user’s session and learn business-critical information; in some cases, it is possible to take control over this information. XSS can also be used to modify the displayed content without authorization. Moreover, an attacker can use the Cross-site request forgery vulnerability to abuse an authenticated user’s session: the victim is made to issue a request to a specific URL with attacker-chosen parameters, and the targeted function executes with the authenticated user’s rights.
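To make the two web issues concrete, the following added example (not from this page and not SAP code) shows a hypothetical administration console with each handler in a vulnerable and a hardened form: a search page that reflects the query into HTML, and a state-changing action that either trusts the session cookie alone or additionally requires a per-session anti-CSRF token. Sessions, users and the forged request are constructed for the demonstration.

```python
"""Reflected XSS and CSRF in a hypothetical web admin console (not SAP
code): each handler is shown in a vulnerable and a hardened form."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict


# ---- Reflected cross-site scripting ---------------------------------
def render_search_vulnerable(query: str) -> str:
    # Untrusted input concatenated straight into the HTML body.
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    # Output encoding for an HTML text context: <, >, &, " and ' become entities.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# ---- Cross-site request forgery --------------------------------------
SESSIONS: Dict[str, dict] = {}  # session id -> session state (constructed, in-memory)


def login(user: str) -> str:
    """Create a session and issue an unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.test",
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the server embeds in its own forms; a foreign origin cannot read it."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)  # attached automatically by the browser
    form: Dict[str, str] = field(default_factory=dict)     # chosen by whoever built the form


def change_email_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone, so a form on any site can trigger it."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    sess["email"] = req.form["email"]
    return 200


def change_email_hardened(req: Request) -> int:
    """Requires the per-session token in the form body, compared in constant time."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    sess["email"] = req.form["email"]
    return 200


def demo() -> dict:
    sid = login("victim")
    # Constructed cross-site POST: the victim's browser attaches the cookie,
    # but the attacker's page cannot know the token.
    forged = Request(cookies={"sid": sid}, form={"email": "attacker@example.test"})
    legit = Request(cookies={"sid": sid},
                    form={"email": "new@example.test", "csrf": csrf_token_for(sid)})
    payload = "<script>alert(1)</script>"
    out = {"xss_vulnerable": render_search_vulnerable(payload),
           "xss_hardened": render_search_hardened(payload)}
    out["forged_vulnerable"] = change_email_vulnerable(forged)
    out["email_after_vulnerable"] = SESSIONS[sid]["email"]
    SESSIONS[sid]["email"] = "victim@example.test"  # reset before the second run
    out["forged_hardened"] = change_email_hardened(forged)
    out["email_after_hardened"] = SESSIONS[sid]["email"]
    out["legit_hardened"] = change_email_hardened(legit)
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise: output encoding must match the context the value lands in (an HTML attribute, a JavaScript string or a URL each need different escaping, and `html.escape` only covers the HTML text and quoted-attribute cases), and the CSRF token should be complemented by `SameSite` session cookies and an origin check, since the token alone does nothing if an XSS flaw on the same origin lets the attacker read it.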

About Multiple Missing Authorization Check in SAP Point of Sale

SAP POS, a client-server point-of-sale (POS) solution from the German software maker, is part of its Retail solution portfolio, whose products are in use at 80% of the retailers in the Forbes Global 2000.

From a technical point of view, SAP POS consists of client applications, a store server (covering connectivity, operational and administrative needs), and applications running in the head office that allow central configuration.

The described malicious actions can be performed over the network without authentication.

The vulnerabilities were rated 8.1 (CVSS v3 base score), with all three impact metrics (Confidentiality, Integrity, and Availability) assessed as High.

In line with responsible disclosure, ERPScan is withholding technical details to give SAP customers time to patch the issues. The researchers who identified the vulnerabilities will deliver a talk at Hack in the Box Singapore (August 24), where they will demonstrate an attack vector against SAP POS.

Other critical issues closed by SAP Security Notes July

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, an attacker can inject and run their own code, obtain information that should not be displayed, modify or delete data, alter the output of the system, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or perform a DoS attack.
Install this SAP Security Note to prevent the risks.

2409262: SAP BI Promotion Management Application has a Cross-site scripting vulnerability (CVSS Base Score: 6.1). An attacker can exploit it to inject a malicious script into a page. The script can access cookies, session tokens and other critical information stored and used for interaction with the web application, so the attacker can take over the user’s session and learn business-critical information; in some cases, it is possible to take control over this information. XSS can also be used to modify the displayed content without authorization.
Install this SAP Security Note to prevent the risks.

2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4). An attacker can use an XML external entity vulnerability to send specially crafted XML requests that the application’s XML parser processes without authorization; the external entities declared in such a request can be used to gain unauthorized access to the OS filesystem.
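The filesystem access described above comes from the parser resolving an attacker-declared external entity. The following added example (not from this page, not SAP code, and unrelated to how the affected product parses XML) reproduces the mechanism with Python’s `xml.sax`: with external general entities enabled, a constructed request pulls a local file into an element’s text; with the default (hardened) setting the entity is left unexpanded. The "secret" file and the XML document are constructed for the demonstration.

```python
"""XML external entity (XXE) injection, as an added example that is not
from the page or SAP: a SAX parser that resolves external general
entities reads a local file into the document, while the default
(hardened) configuration leaves the entity unexpanded."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collect character data, i.e. what the application would treat as field values."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts).strip()


def build_xxe_document(path: str) -> bytes:
    # Constructed attacker input: declare an external general entity that
    # points at a local file, then reference it where a value is expected.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<request><customer>&xxe;</customer></request>\n"
    ).encode()


def parse_request(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax. The flag maps to feature_external_ges, which is
    off by default in current Python and must stay off for untrusted input."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo() -> dict:
    """Write a constructed secret to a temp file and parse a document that
    references it, once with and once without external entity resolution."""
    secret = "db_password=constructed-secret-value"
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        doc = build_xxe_document(path)
        return {
            "secret": secret,
            "vulnerable": parse_request(doc, resolve_external_entities=True),
            "hardened": parse_request(doc, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The same check applies to any XML stack: confirm that the parser in use neither resolves external entities nor loads external DTDs, and that it is configured that way explicitly rather than by relying on a library default that may differ between versions.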
Install this SAP Security Note to prevent the risks.

Advisories with technical details for these SAP vulnerabilities will be published on erpscan.com in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.